[PrivacyBadger] Pushing Privacy Badger's buttons, part 2

'Don Marti' dmarti at zgp.org
Mon Sep 12 06:19:14 PDT 2016


I have made some progress on this.

There is now an "un-tracking pixel" that will just set
the Aloodo cookie -- no third-party JavaScript
required.

Faster than running the whole script.  And it comes
with a long "Expires:" time, so the browser won't
re-load it for every page.

  http://blog.aloodo.org/misc/howto/#pixel

Good for

 * sites that want to help but don't want to show
   tracking warnings

 * sites that are concerned about load times and
   bandwidth

 * sites that don't want to run 3rd-party JS

 * sites that can add an image but not a script (for
   example, those hosted on WordPress.com)

So now there can be some sites running the whole
Aloodo script, to warn users, and some sites just
running the pixel, to pre-prime the browsers so the
script can get better results.


begin Mike O'Neill quotation of Sat, Apr 16, 2016 at 05:19:04PM +0100:
> 
> Thinking about this I think a better "block me" response would be a Tracking Status Value of "D", which means the web application is "Disregarding" DNT.
> 
> T could be a valid TSV when Tracking for one of the permitted uses is happening, although the particular permitted use must be declared in the "qualifiers" property. PB could check for a T along with an absent "qualifiers" property, or one that does not have one of the permitted use codes, but that seems long-winded. A "D" would be simpler.
> 
> So either the TSV includes:
> 
> { "tracking": "D", ... }
> 
> Or there is a response header "Tk: D"
> 
> I am writing an implementers guide to DNT (for the TPWG) that will include that suggestion.
> 
> Mike
> 
> -----Original Message-----
> From: PrivacyBadger [mailto:privacybadger-bounces+michael.oneill=baycloud.com at eff.org] On Behalf Of Cooper Quintin
> Sent: 12 April 2016 02:56
> To: privacybadger at eff.org; Don Marti <dmarti at zgp.org>
> Subject: Re: [PrivacyBadger] Pushing Privacy Badger's buttons, part 2
> 
> Actually this seems like a pretty good solution to Don's problem and one
> that we should maybe adopt anyway. There are other benefits to reading
> the TSR as well such as getting a list of first parties. I would likely
> support this change.
> 
> - Cooper
> 
> On 04/09/2016 11:31 AM, Mike O'Neill wrote:
> > Why not agree on a "block me" signal? Any reference to a third-party marked in a particular way will cause the request to be blocked by tracking protection i.e. PrivacyBadger.
> > 
> > The Do Not Track (candidate) recommendation contains such a signal. A TSR (a JSON resource at //ad.aloodo.com/.well-known/dnt) with Tracking set to "T" ({ "Tracking": "T", ... }) when accessed with the DNT set (DNT:1), would signal refusal to stop tracking, i.e. block me. You could also do it by returning a Tk: T to any ad.aloodo.com resource.
> > 
> > 
> > 
> > 
> > -----Original Message-----
> > From: PrivacyBadger [mailto:privacybadger-bounces+michael.oneill=baycloud.com at eff.org] On Behalf Of Don Marti
> > Sent: 09 April 2016 18:48
> > To: privacybadger at eff.org
> > Subject: [PrivacyBadger] Pushing Privacy Badger's buttons, part 2
> > 
> > Still working on tools that a web site can use to
> > notify users when they're vulnerable to third-party
> > tracking.
> > 
> > Here's the problem.
> > 
> >  * If the script warns the user when a third-party
> >    iframe loads, it will falsely notify some users
> >    of an "untrained" Privacy Badger.
> > 
> >  * If we wait to notify until we're sure that a
> >    third-party cookie can be set and read on three
> >    sites, then we miss a chance to notify some users
> >    of list-based protection who haven't been to enough
> >    sites that include the iframe.
> > 
> > One solution is...put the https://ad.aloodo.com/track/
> > iframe everywhere!!1!1  Even if you don't want to run
> > tracking notifications on your own site, the iframe
> > will train Privacy Badger to block it, so the cookie
> > test will work when the user goes to a site that does
> > do notifications.  Still looking for other solutions.
> > 
> > Anyway, more here:
> > 
> >   http://blog.aloodo.org/posts/track-js-script/
> > 
> > Comments and suggestions welcome.
> > 
> > 
> > _______________________________________________
> > PrivacyBadger mailing list
> > PrivacyBadger at eff.org
> > https://lists.eff.org/mailman/listinfo/privacybadger
> > 
> 

-- 
Don Marti <dmarti at zgp.org>                   
http://zgp.org/~dmarti/
Are you safe from 3rd-party web tracking?  http://www.aloodo.org/test/
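
Added example, not part of the original thread and not Privacy Badger's own code: a JavaScript sketch of the "block me" check discussed in the quoted messages, applied to a Tracking Status Resource body and to a Tk response header. The function names are hypothetical, and the set of permitted-use qualifier codes is an assumption taken from the DNT (TPE) draft rather than from this thread.

```javascript
// Hypothetical helpers for a blocker that honours a "block me" signal.
// Assumption: permitted-use qualifier codes as listed in the DNT (TPE) draft:
// a = audit, c = ad frequency capping, f = fraud prevention,
// l = local constraints, r = referrals. Verify against the spec text in use.
const PERMITTED_USE_CODES = new Set(["a", "c", "f", "l", "r"]);

// Decide from a Tracking Status Resource body (the JSON served at
// /.well-known/dnt) whether the origin is signalling "block me".
function blockMeFromTsr(body) {
  let tsr;
  try {
    tsr = JSON.parse(body);
  } catch (e) {
    return false; // unparseable TSR: no signal, keep the normal heuristic
  }
  if (tsr === null || typeof tsr !== "object" || Array.isArray(tsr)) {
    return false;
  }
  // The thread writes the member both as "tracking" and as "Tracking".
  const tsv = tsr.tracking !== undefined ? tsr.tracking : tsr.Tracking;
  if (tsv === "D") return true;  // "Disregarding" DNT
  if (tsv !== "T") return false; // other values are not a block-me signal
  // "T" is acceptable only when a permitted use is declared in "qualifiers".
  const q = typeof tsr.qualifiers === "string" ? tsr.qualifiers : "";
  return ![...q].some((code) => PERMITTED_USE_CODES.has(code));
}

// Decide from a Tk response header value. The header carries the status
// value, optionally followed by ";status-id", and has no qualifiers, so a
// bare "T" cannot be checked for a permitted use; only "D" counts here.
function blockMeFromTkHeader(value) {
  if (typeof value !== "string") return false;
  return value.trim().split(";")[0].trim() === "D";
}

// Constructed sample inputs, not captured from any real site.
const samples = [
  '{"tracking": "D"}',
  '{"tracking": "T"}',
  '{"tracking": "T", "qualifiers": "f"}',
  '{"tracking": "N"}',
];
for (const s of samples) {
  console.log(s, "=>", blockMeFromTsr(s) ? "block" : "no signal");
}
```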

